OpenSSH 10.3 has been released, addressing two security issues including CVE-2026-35385, a privilege escalation vulnerability in the legacy SCP (Secure Copy Protocol) implementation that affects systems where administrators perform scp downloads as root. The flaw carries a CVSS score of 7.5 and is present in all versions of OpenSSH prior to 10.3.
The issue arises in legacy SCP mode, invoked with the -O flag, when files are downloaded as the root user without the -p (preserve modes) flag. Under these conditions scp does not clear the setuid and setgid permission bits from downloaded files: in the legacy protocol the permission bits are taken from what the remote side sends, so an attacker who controls the remote server can serve a specially crafted file with the setuid bit set. When an administrator downloads that file with the vulnerable invocation, it lands on the local system as a root-owned setuid file, and any other user who subsequently executes it gains root's privileges.
Attack Conditions
For CVE-2026-35385 to be exploitable, several conditions must align: the attacker must control or compromise the remote server, the victim must be using legacy SCP mode (-O flag), the download must be performed as root, and the -p flag must not be specified. A separate user must then execute the downloaded file.
This attack chain is non-trivial but realistic in specific operational contexts. Administrators who routinely copy files between servers using root credentials and legacy SCP, which is common in older automation scripts and backup workflows that predate the SFTP-default behaviour, are the primary risk group. The concern is amplified in environments where downloaded files are placed in directories accessible to lower-privileged users or service accounts.
The legacy SCP mode itself is increasingly discouraged. Modern OpenSSH (since 9.0) defaults to SFTP-based copy, and legacy mode must be explicitly requested with -O. However, many operational environments retain scripts using the older invocation, particularly where compatibility with older SSH servers that lack an SFTP subsystem is required.
The Companion Vulnerability
OpenSSH 10.3 also patches CVE-2026-35386 (CVSS 3.6), which involves improper validation of shell metacharacters in usernames supplied on the command line. If a username contains shell metacharacters and an ssh_config file expands it through a %-token into a directive that is run by a shell (a ProxyCommand, for example), the metacharacters reach the shell and can lead to arbitrary command execution in narrow circumstances, namely where an attacker can influence the username passed to ssh. The low CVSS reflects the constrained conditions required for exploitation.
Affected Platforms and Distribution Patches
CVE-2026-35385 affects all OpenSSH versions prior to 10.3 across Linux distributions and macOS. Major distributions including Ubuntu and AlmaLinux have released backported patches. Organisations that pin to distribution-managed packages rather than upstream OpenSSH should apply the latest OpenSSH update for their distribution.
macOS ships with its own OpenSSH build; security teams managing macOS fleets should monitor Apple's security update cycle for the patch.
Recommended Actions
- Update OpenSSH to 10.3 or apply the distribution-specific backport: patch using your standard package manager (apt, dnf, yum) as soon as the patched version is available for your distribution. Note that backported packages keep the older upstream version string, so check the package changelog rather than the output of ssh -V.
- Audit scp usage in automation scripts and cron jobs: identify any scripts that use scp -O (legacy mode) with root credentials, and migrate them to sftp, or to scp without the -O flag, wherever the remote server supports SFTP.
- Review file placement on download: if legacy SCP downloads into root-owned directories cannot be migrated immediately, keep downloaded files in directories that lower-privileged users cannot traverse, and clear any setuid/setgid bits (chmod u-s,g-s) before the files are made available or their integrity is verified.
- Apply on macOS endpoints and servers: OpenSSH is present on nearly every host, so track patch status across both Linux servers and macOS endpoints in your fleet.
- For Ubuntu environments: Ubuntu has released a patched OpenSSH package; run apt update && apt install --only-upgrade openssh-client openssh-server to apply it.
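The following script is an added example written for this article; it is not OpenSSH project code, and the article itself ships no tooling. It packages the checks the list above asks for: a version test on the ssh -V banner (with the backport caveat built in), a grep heuristic for legacy scp -O invocations in scripts and cron files, a find for setuid/setgid files in download directories together with a function that clears those bits, and, for CVE-2026-35386, an allowlist check on usernames before they are handed to ssh or scp. The crontab and script locations in the audit branch, the sample banners in the comments, and the script name audit_scp.sh are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example for this article, not OpenSSH project code.
# Checks for the CVE-2026-35385 preconditions (legacy "scp -O" downloads
# as root that leave setuid/setgid bits) and, for CVE-2026-35386, an
# allowlist check on user names. The paths scanned by the "audit" branch
# and the banners quoted in comments are assumptions about a typical host.

# Decide from an `ssh -V` banner whether the upstream version is below 10.3.
# Caveat: distributions backport fixes without bumping this number, so a
# "below 10.3" answer means "check the package changelog", not "vulnerable".
needs_upstream_update() {
    # $1 = banner, e.g. "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 ..."
    v=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 2                 # unparseable banner
    set -- $v                               # $1 = major, $2 = minor
    [ "$1" -lt 10 ] || { [ "$1" -eq 10 ] && [ "$2" -lt 3 ]; }
}

# Report lines in scripts or cron files that invoke scp in legacy mode.
# Heuristic: "scp", then before any |, ; or & a flag group containing an
# upper-case O (-O, -rO, -Oq ...). A lower-case -o option does not match.
find_legacy_scp() {
    grep -rnE 'scp[^|;&]*[[:space:]]-[A-Za-z]*O' "$@" 2>/dev/null
}

# Regular files under a directory carrying setuid or setgid bits: exactly
# what a malicious server can leave behind through the scp flaw.
list_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Clear those bits on every such file. Run it on scp download directories
# before lower-privileged users can reach them; file contents are untouched.
strip_special_bits() {
    list_special_bits "$1" | while IFS= read -r f; do
        chmod u-s,g-s "$f" && printf 'cleared setuid/setgid: %s\n' "$f"
    done
}

# CVE-2026-35386 side: only pass user names to ssh/scp that cannot smuggle
# shell metacharacters into a %r expansion (ProxyCommand and similar run
# through a shell). Allowlist: letters, digits, '.', '_', '-'; no leading
# '-' so the name cannot be parsed as an option; at most 32 characters.
safe_remote_user() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;      # anything else, newline included
    esac
    [ "${#1}" -le 32 ]
}

# Usage (paths are assumptions): sh audit_scp.sh audit [download-dir]
case "${1:-}" in
    audit)
        ssh -V 2>&1 | { read -r banner
            needs_upstream_update "$banner" &&
                printf 'ssh reports %s: verify a backport is installed\n' "$banner"; }
        find_legacy_scp /etc/crontab /etc/cron.d /var/spool/cron /usr/local/bin /root
        [ -n "${2:-}" ] && strip_special_bits "$2"
        ;;
esac
```

Run it as root with the directory your legacy scp jobs download into as the second argument; the grep heuristic is deliberately loose (it will flag a commented-out line, for instance), so treat its output as a worklist to review rather than a verdict.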